Payment Card Industry 3-D Secure (PCI 3DS)
Standard
Security Objective 2.4
List of requirements
Security Objective 2: Protect Sensitive 3DS SDK Data Elements
Certain types of information collected in association with 3DS transactions are highly sensitive in nature and must be protected from unauthorized disclosure. Such information might include, but is not limited to, cardholder data (CHD), 3DS authentication data, cryptographic keys, and consumer device information. Refer to Table 2, “Sensitive 3DS SDK Data Elements,” in the “Scope of Security Requirements” section for more information on which specific 3DS SDK data elements require protection from unauthorized disclosure.
Requirements:
2.4 Protection against Disclosure through Unintended Channels
The 3DS SDK does not disclose sensitive 3DS SDK data elements through unintended channels.
Assessment Procedures:
T.2.4.1 Referring to the information produced in T.2.1.1, the tester shall examine vendor materials and other evidence, including source code, to determine how each of the data elements is generated/input and displayed (if displayed).
T.2.4.2 Referring to the information produced in T.2.1.1 and the details generated above, the tester shall confirm that for each sensitive 3DS SDK data element identified in T.2.1.1, the vendor has implemented protections to safeguard that data element against disclosure through unintended channels.
T.2.4.3 Where the sensitive 3DS SDK data element is input by the cardholder, the tester shall confirm that methods are implemented by the 3DS SDK to mitigate clickjacking, screen overlay, or other such input-stealing attacks.
T.2.4.4 For all sensitive 3DS SDK data elements identified in T.2.1.1, the tester shall confirm that methods are implemented by the 3DS SDK to mitigate capture of each of these elements through use of shared resources such as memory or file systems.
T.2.4.5 Referring to testing performed in Requirement 2.3, “Use of Third-Party Services,” the tester shall confirm that methods are implemented to mitigate the capture or exposure of each sensitive 3DS SDK data element as it is passed between the 3DS SDK and any third-party services or components.
T.2.4.6 Referring to the information produced in T.2.1.1, the tester shall examine vendor materials and other evidence, including source code, to confirm that only sensitive 3DS SDK data elements that are explicitly permitted to be hard-coded are stored in the source code.
T.2.4.7 The tester shall examine source code to determine whether sensitive 3DS SDK data elements which are externally generated or provided are processed in a way that indicates they are static; for example, where they utilize a third-party service or component, covered under Requirement 2.3, “Use of Third-Party Services,” which implements static values; or where the 3DS SDK processing clearly does not accommodate the expected range of values which may be provided in any particular data element. In such cases, the tester shall confirm that these values are not static, and that any such attestations from the vendor are documented.
T.2.4.8 The tester shall examine vendor materials and other evidence, including source code, to identify all error, debugging, or other output functionality. Where such functionality is found, the tester shall confirm that the functionality does not result in the unintended disclosure or leakage of any sensitive 3DS SDK data elements.
T.2.4.9 The tester shall examine vendor materials and other evidence, including source code, to confirm that any functionality that results in the output of sensitive 3DS SDK data elements is intended. The tester is expected to cross-reference any output functionality to the testing performed in Requirement 2.3, “Use of Third-Party Services,” to validate that all communication of sensitive 3DS SDK data elements is intended.
T.2.4.10 The tester shall test the 3DS SDK by performing a series of 3DS operations, ensuring that these cover all functionality provided by the 3DS SDK, and confirm that sensitive 3DS SDK data elements are not disclosed through unintended channels.
Note: This testing must be performed against a 3DS test host/harness that provides all required 3DS functionality and data elements, and allows for the use and monitoring of shared resources such as memory, keyboards and displays. The test harness must additionally allow for the capture of any error or debug data output from the 3DS SDK.
T.2.4.10.1 The tester shall test the 3DS SDK by attempting to capture or otherwise determine the values of sensitive 3DS SDK data elements generated, input, or processed by the 3DS SDK. The tester must attempt methods that include both on-device capture, as well as capture through monitoring of communication channels. Communication channel capture shall consider the application of traffic analysis to determine the sensitive 3DS SDK data elements communicated.
T.2.4.10.2 The tester shall attempt to capture or otherwise determine the values of sensitive 3DS SDK data elements generated, input, or processed by the 3DS SDK through capture and analysis of error codes or use of debugging/test features. The tester must attempt methods that utilize both normal and forced error flows of the processing, and determine whether any sensitive 3DS SDK data elements are leaked.
Guidance:
Proactive measures to ensure that sensitive 3DS SDK data elements are not inadvertently “leaked” should be implemented by the 3DS SDK Vendor or within the 3DS SDK. Disclosure of sensitive 3DS SDK data elements to unauthorized parties often occurs via unknown or unintended outputs or channels. For example, sensitive 3DS SDK data elements could be unintentionally disclosed through error- or exception-handling routines, logging or debugging channels, third-party services or components, or the use of shared resources such as memory, disk, files, keyboards, displays, and functions. Protective mechanisms, whether process or programmatic in nature, should be implemented to ensure that sensitive 3DS SDK data elements are not accidentally disclosed through such means. Example implementations of data leakage protection controls can be found in the EMV® 3DS SDK Technical Guide.
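As an added illustration (not part of the standard, the EMV 3DS SDK Technical Guide, or any vendor's SDK), the following Python sketch shows the error-output leak that the guidance and T.2.4.8 describe next to a form that does not interpolate the element, plus the kind of check a tester might run over captured error or debug output under T.2.4.8 and T.2.4.10.2. The PAN value and the list of known sensitive values are constructed for this example; the Luhn filter is only a heuristic for spotting PAN-shaped digit runs, not a substitute for the tester's own list of the values fed into the test harness.

```python
import re

# Constructed sample value for this example (a well-known Luhn-valid test PAN,
# not a value taken from the standard or from any real cardholder).
TEST_PAN = "4111111111111111"

# Digit runs of PAN length that are not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates PANs from other long digit runs (timestamps, ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Redact every Luhn-valid PAN-like run to first-six/last-four before output."""
    def redact(m):
        pan = m.group(0)
        if not luhn_ok(pan):
            return pan
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return PAN_CANDIDATE.sub(redact, text)


def leaky_error(pan: str, err: str) -> str:
    """The unintended channel T.2.4.8 targets: the raw element lands in an error string."""
    return f"ERROR: authentication failed for {pan}: {err}"


def safe_error(pan: str, err: str) -> str:
    """Hardened form: the element is never interpolated; masking is a second line of defence."""
    del pan  # intentionally unused: the error path has no need for the PAN
    return mask_pans(f"ERROR: authentication failed: {err}")


def find_leaks(captured_lines, known_values):
    """Tester-side check over captured error/debug output (T.2.4.8, T.2.4.10.2):
    flag a known sensitive value appearing verbatim, or any Luhn-valid PAN-like run."""
    findings = []
    for n, line in enumerate(captured_lines, start=1):
        if any(v and v in line for v in known_values):
            findings.append((n, "known_value"))
        if any(luhn_ok(m.group(0)) for m in PAN_CANDIDATE.finditer(line)):
            findings.append((n, "luhn_pan"))
    return findings
```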